cbcvebase.
CVE-2026-34909
published 2026-05-22

CVE-2026-34909: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system…

PriorityP194critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-06-26
Exploited in the wild
EPSS
2.27%
80.9th percentile
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

Affected

64 ranges· showing 25
VendorProductVersion rangeFixed in
ubiquiti_incefg< 5.1.125.1.12
ubiquiti_incenvr< 5.1.125.1.12
ubiquiti_incenvr-core< 5.1.125.1.12
ubiquiti_incexpress< 4.0.144.0.14
ubiquiti_incexpress_7< 5.1.125.1.12
ubiquiti_incucg-fiber< 5.1.125.1.12
ubiquiti_incucg-industrial< 5.1.125.1.12
ubiquiti_incucg-max< 5.1.125.1.12
ubiquiti_incucg-ultra< 5.1.125.1.12
ubiquiti_incuck< 5.1.125.1.12
ubiquiti_incuck-enterprise< 5.1.125.1.12
ubiquiti_incuckp< 5.1.125.1.12
ubiquiti_incudm< 5.1.125.1.12
ubiquiti_incudm-beast< 5.1.115.1.11
ubiquiti_incudm-pro< 5.1.125.1.12
ubiquiti_incudm-pro-max< 5.1.125.1.12
ubiquiti_incudm-se< 5.1.125.1.12
ubiquiti_incudr< 5.1.125.1.12
ubiquiti_incudr-5g< 5.1.125.1.12
ubiquiti_incudr7< 5.1.125.1.12
ubiquiti_incudw< 5.1.125.1.12
ubiquiti_incunas-2< 5.1.105.1.10
ubiquiti_incunas-4< 5.1.105.1.10
ubiquiti_incunas-pro< 5.1.105.1.10
ubiquiti_incunas-pro-4< 5.1.105.1.10

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor for HTTP requests where the raw URI targets an authentication-exempt endpoint (e.g. /api/auth/validate-sso/) but resolves to a protected internal route after Nginx normalization — this is the authentication bypass mechanism for CVE-2026-34908/34909.
  • Monitor requests to the package-update endpoint (ucs/update/latest_package) for unvalidated user input being passed into shell commands — this is the CVE-2026-34910 command injection sink reached after the auth bypass.
  • Alert on unexpected sudo commands and child processes spawned under the 'ucs-update' service account, as the affected service account has passwordless sudo access making privilege escalation to root trivial.
  • CVE-2026-34909 is part of a three-CVE chain (CVE-2026-34908 auth bypass → CVE-2026-34909 path traversal → CVE-2026-34910 command injection) actively exploited in the wild to deploy commodity malware; treat all three as a single attack surface.
  • ·The Bishop Fox detection script does NOT detect active attacks, past exploitation, or the presence of persistence mechanisms/backdoors — a clean result does not rule out prior compromise.

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck10.0CRITICAL
cisa10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.